🌱 Improve github actions dependencies versions and permissions #2715

merged 1 commit into from Mar 20, 2024
15 changes: 13 additions & 2 deletions .github/workflows/golangci-lint.yml
Expand Up @@ -4,6 +4,15 @@ on:
types: [opened, edited, synchronize, reopened]
branches:
- main

permissions:
# Required: allow read access to the content for analysis.
contents: read
# Optional: allow read access to pull request. Use with `only-new-issues` option.
pull-requests: read
# Optional: Allow write access to checks to allow the action to annotate code in the PR.
checks: write

jobs:
golangci:
name: lint
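Review bot: `checks: write` is declared at the workflow level, so it applies to every job in this file rather than only to the golangci job that annotates the PR; moving the `permissions:` block under `jobs.golangci` keeps the write scope on the one job that needs it. The comment on `pull-requests: read` ties it to the `only-new-issues` option, but the lint step's `with:` block in this file does not set that option, so either add `only-new-issues: true` or drop `pull-requests: read` to keep the token minimal.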
Expand All @@ -14,13 +23,15 @@ jobs:
- ""
- tools/setup-envtest
steps:
- uses: actions/setup-go@v5
- name: Set up Go
uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # tag=v5.0.0
with:
go-version: '1.21'
cache: false
- uses: actions/checkout@v4
- name: golangci-lint
uses: golangci/golangci-lint-action@v4
uses: golangci/golangci-lint-action@3cfe3a4abbb849e10058ce4af15d205b6da42804 # tag=v4.0.0
with:
version: v1.56.2
args: --out-format=colored-line-number
working-directory: ${{matrix.working-directory}}
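Review bot: `actions/checkout@v4` in the middle of this hunk is still on a mutable tag while `setup-go` and `golangci-lint-action` on either side of it are now pinned to commit SHAs; pin it the same way, e.g. `uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # tag=v4.1.1` as pr-dependabot.yaml does in this same PR, otherwise a moved tag on the checkout action still runs unreviewed code in this job.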
2 changes: 1 addition & 1 deletion .github/workflows/pr-dependabot.yaml
Expand Up @@ -19,7 +19,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Check out code
uses: actions/checkout@v4 # tag=v3.5.3
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # tag=v4.1.1
- name: Set up Go
uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # tag=v5.0.0
with:
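Review bot: the removed line carried a `# tag=v3.5.3` comment that contradicted the `@v4` reference beside it, so the corrected `# tag=v4.1.1` should be kept in exactly this `# tag=` form; that comment is what the automated updater matches to bump the tag alongside the SHA, and a mismatched comment silently defeats that.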
5 changes: 4 additions & 1 deletion .github/workflows/verify.yml
Expand Up @@ -2,13 +2,16 @@ on:
pull_request_target:
types: [opened, edited, reopened, synchronize]

permissions:
checks: write # Allow access to checks to write check runs.

jobs:
verify:
runs-on: ubuntu-latest
name: verify PR contents
steps:
- name: Verifier action
id: verifier
uses: kubernetes-sigs/kubebuilder-release-tools@v0.4.3
uses: kubernetes-sigs/kubebuilder-release-tools@012269a88fa4c034a0acf1ba84c26b195c0dbab4 # tag=v0.4.3
Member:

Why not use the tags?

Member Author:

These are pinned dependencies, to a hash. Versions might change the hash and that on its own has general security implications.

When updates are available, dependabot updates both the hash and the tag comment.

Member:

A while back dependabot didn't support updating tag comments, but since that's supported we've been using this in CAPI and it works perfectly.

with:
github_token: ${{ secrets.GITHUB_TOKEN }}
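Review bot: because this workflow runs on `pull_request_target`, it executes in the base repository's context with `secrets.GITHUB_TOKEN` available even for PRs from forks, so an explicit `permissions:` block is the right call here: once any scope is listed, every unlisted scope drops to none. Confirm that the verifier action needs only `checks: write` and not, for example, `pull-requests: write` to post a comment on the PR, otherwise the job would fail with a permissions error after this change; with `types: [..., edited, synchronize]` re-running the job on every push to a PR, the minimal token is what bounds what a PR can do with it.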